The present invention relates generally to computer software, and more particularly, to a system and method for storing data in a tamper proof storage.
In today's computer network environment, large volumes of data are customarily stored and used by various software applications. Data management has become an essential task for many data intensive industries. A smooth business operation depends both on the efficiency and security of the use of the stored data. From the perspective of data management, a database administrator (DBA) is powerful in that he usually has full access to the entire database and all contents stored therein. He can read, write and modify any data stored in the database. In a normal situation, the DBA is endowed with the highest level of trust because of his enormous responsibility. In certain cases, it is desirable to store data in a database in a secure way such that even a privileged user like the DBA should not be able to modify records without detection. For example, it is very important to protect a monotonically increased audit trail which records actions taken by a user along with his identity against modifications. No one should be able to modify this trail, thus an independent auditor can trace any user's, even the DBA's, actions relating to the database, whereby the integrity and the security of the database are greatly enhanced.
The normal practice consists of reading audit trail data in a database directly through SQL, JDBC or any such standard client program. Several conventional methods are used for protecting the integrity of the audit trail in a database system. For example, the entire audit trail can be encrypted. Although this encryption prevents access to the trail by the DBA, it does not prevent him from deleting certain records without being detected. Also it hinders the normal practice of reading the trail by users of the database.
As an alternative solution, the audit trail can be validated by a signing process. The signing process corresponds to a digital signature operation which is well known in the industry. This signing process for generating a signature involves taking a message of any length, forming an “imprint” of the message to a fixed length by hashing, and mathematically transforming the hash using cryptographic techniques. While the signature can be generated only by the signer, any other user can verify the generated signature. If a trail for which the signature is attached has been tampered with, the verifier cannot successfully validate the digital signature. The signing process is directed to the entire trail, not a specific record in it. Under a typical scenario, after all the existing records have been collated, a signature is then generated for the entire trail, and the resulting signature is put in a secure place. Therefore, every time a new record is added to the database, the audit trail is signed again. This method has a heavy processing and computational overhead as the entire audit trail needs to be accessed and signed every time a record is added.
In another alternative solution, the records can be validated by requiring a signature of each record. This method validates the individual records but still fails to prevent the DBA from deleting records without detection.
The process of auditing a database audit trail is expected to conform to “four eyes principle.” This means that there can be two or more auditors who separately and independently track a database audit trail. The audit trail starts with the joint participation of all the auditors. The auditors are supposed to maintain a “non-trusting” attitude towards each other and strictly track the audit trail for database integrity. All solutions to tamper-proof storage discussed in the above paragraphs are presented in the single auditor framework and hence cannot be applicable to auditing process that requires “four eyes principle.”
What is needed is an efficient method and system for supporting a secure database system so that any modifications of the audit trail in a database system by any user, including the privileged user like the DBA, would be detectable. The proposed method and system should also support “four eyes principle” for auditing.